signed integer overflow in S_study_chunk (regcomp.c:5444) #16173
Comments
From @geeknik: Triggered while fuzzing v5.27.4-28-g60dfa51

./perl -e 'm m0*0+\Rm'

regcomp.c:5444:26: runtime error: signed integer overflow:
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior regcomp.c:5444:26

From @geeknik: Whoops, that should be "signed" not unsigned.
From @khwilliamson: On Mon, 25 Sep 2017 23:19:46 -0700, brian.carpenter@gmail.com wrote:

The attached patch fixes this, and seems reasonable. The value is getting initialized to effective infinity, and then incremented. Just above, there is a special case to not increment infinity, and it seems proper to do the same thing here. But since I don't understand study_chunk(), I won't apply the patch until the middle of April, to give people a chance to say that it shouldn't be applied.
--
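The pattern described in this comment (a signed length field whose maximum value doubles as an "infinity" sentinel, which must never be incremented) is easy to get wrong. The following is an added illustration, not Perl's code: it uses a `long` stand-in for `SSize_t`, a constructed `scan_pos` struct with `pos_min`/`pos_delta` fields named after the ones in the patch, and shows the guarded increment beside a saturating add that handles the same edge case for arbitrary deltas.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for Perl's SSize_t (assumption: a signed long-sized type).
   The maximum value is used as a sentinel meaning "unbounded length". */
typedef long ssize_like_t;
#define INFINITY_SENTINEL LONG_MAX

/* Diagnostic: would an unguarded "v += 1" be signed overflow (UB in C)? */
static bool would_overflow_on_increment(ssize_like_t v) {
    return v == INFINITY_SENTINEL;
}

/* Guarded form, the same shape as the fix: leave infinity untouched. */
static ssize_like_t bump_unless_infinite(ssize_like_t v) {
    if (v != INFINITY_SENTINEL) {
        v += 1;
    }
    return v;
}

/* Generalisation for a non-negative delta: saturate at the sentinel instead
   of overflowing, and keep an existing infinity as infinity. */
static ssize_like_t add_saturating(ssize_like_t v, ssize_like_t delta) {
    if (v == INFINITY_SENTINEL) {
        return v;
    }
    if (delta > INFINITY_SENTINEL - v) {   /* v + delta would exceed max */
        return INFINITY_SENTINEL;
    }
    return v + delta;
}

/* Constructed model of the two counters the patch touches. */
struct scan_pos {
    ssize_like_t pos_min;    /* minimum offset reached so far */
    ssize_like_t pos_delta;  /* extra slack; sentinel means unbounded */
};

/* One "floating" step: both counters advance by one, but a pos_delta that
   has already become unbounded must stay that way. */
static struct scan_pos step_float(struct scan_pos d) {
    d.pos_min   = add_saturating(d.pos_min, 1);
    d.pos_delta = bump_unless_infinite(d.pos_delta);
    return d;
}

int main(void) {
    struct scan_pos d = { 0, INFINITY_SENTINEL };  /* constructed input */
    printf("increment of sentinel would overflow: %s\n",
           would_overflow_on_increment(d.pos_delta) ? "yes" : "no");
    d = step_float(d);
    printf("after step: pos_min=%ld pos_delta=%s\n",
           d.pos_min, d.pos_delta == INFINITY_SENTINEL ? "inf" : "finite");
    return 0;
}
```

Building with `-fsanitize=undefined` and replacing `bump_unless_infinite` by a bare `v += 1` reproduces the class of report UBSan emitted for regcomp.c; with the guard in place the sanitizer stays silent.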
From @khwilliamson: attachment 0006-regcomp.c-Don-t-try-to-increment-infinity.patch

From 2c03b53a90c951ba9aef715d6b8a0ec91fe55994 Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Sun, 1 Apr 2018 13:58:47 -0600
Subject: [PATCH 6/6] regcomp.c: Don't try to increment infinity
This value can be infinity (which is here SSize_t_MAX). Leave it there.
---
regcomp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/regcomp.c b/regcomp.c
index 018d5646fc..47e86933f7 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -5476,7 +5476,9 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n",
/* Cannot expect anything... */
scan_commit(pRExC_state, data, minlenp, is_inf);
data->pos_min += 1;
- data->pos_delta += 1;
+ if (data->pos_delta != SSize_t_MAX) {
+ data->pos_delta += 1;
+ }
data->cur_is_floating = 1; /* float */
}
}
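Review bot: the sentinel meaning of SSize_t_MAX is implicit in the new guard; a short comment above `if (data->pos_delta != SSize_t_MAX) {` such as `/* SSize_t_MAX means infinity; do not overflow it */` would document why the increment is skipped, matching the commit message. It is also worth confirming that `data->pos_min += 1;` on the preceding line can never reach SSize_t_MAX, since it is left unguarded while pos_delta is not.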
--
2.11.0
The RT System itself - Status changed from 'new' to 'open'

From @khwilliamson: Fixed by commit

@khwilliamson - Status changed from 'open' to 'pending release'

From @khwilliamson: Thank you for filing this report. You have helped make Perl better. With the release yesterday of Perl 5.28.0, this and 185 other issues have been Perl 5.28.0 may be downloaded via: If you find that the problem persists, feel free to reopen this ticket.

@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#132164 (status was 'resolved')
Searchable as RT132164$